Field of the Invention
Embodiments of the present invention generally relate to a secure application development platform, and, in particular, to a system and method for developing secure mobile applications to access sensitive data such as health information.
Description of Related Art
Mobile health (“mHealth”) is a term for medical and public health practice supported by communication terminals such as mobile phones, patient monitoring devices, personal digital assistants (PDAs), and other mobile or wireless devices. mHealth involves the use of voice and short messaging service (SMS) as well as more complex technologies such as mobile data communication systems (e.g., 3G, 4G, 4GLTE, etc.), global positioning systems (GPS), and Bluetooth technology.
The advanced computing capability of smartphones that are typically optimized for internet usage allows individuals to access sensitive data, personal information and advice (including but not limited to that related to health and medical care) from anywhere at any time. The smartphones also provide functionality that is not available via a laptop such as an ability to capture information from sensors on the move and the addition of GPS and camera functions. The sensitive data, personal information and advice may be collectively referred to herein as sensitive personal information, unless a different meaning is clearly indicated either explicitly or by the context of usage.
A mobile application (or mobile app) is a software application designed to run on smartphones, tablet computers and other mobile devices. Some mobile apps are used to deliver sensitive personal information such as health care information to consumers, or to gather and send health status information from a consumer to a health care provider. Not all mobile apps relating to the exchange of sensitive personal information, for example those that have been developed in healthcare, are widely available to consumers. Some of the most advanced medical apps are not necessarily designed to target general consumers. Some mobile apps have been designed for healthcare practitioners, others are for patients but require a prescription, and others are intended for only a small subset of patients. Some mobile apps require approval by the U.S. Food and Drug Administration (FDA). A mobile app may also be able to execute on other platforms such as a personal computer (PC) if it has been ported to the underlying operating system, e.g., from Android to Windows or iOS. As used herein, the term “mobile app” or “mobile application” may include an application that executes on a PC (e.g., desktop, tower, laptop, netbook, etc.) or other general-purpose consumer-computing device, without limitation to a mobile device unless mobility provides a stated benefit or unless otherwise clearly restricted by the context of usage.
Certain sensitive personal information like patient health information is protected by law (e.g., the Healthcare Information Portability and Accountability Act (“HIPAA,” codified at 42 U.S.C. §300gg, 29 U.S.C. §1181 et seq. and 42 U.S.C. §1320d et seq.) in the U.S.) and must be treated in a way that maintains patient privacy. Such information is termed protected health information (PHI). With respect to PHI, it is important that there is both transparency and awareness of how data entered into a mobile app is used, and that patient consent is obtained for use of PHI data. If a healthcare mobile app collects, stores, and/or transmits PHI, it is essential that the mobile app does so in full compliance with HIPAA and any other applicable laws or regulations of the country concerned. Any mobile app that is intended to connect to an Electronic Health Record (EHR) or Personal Health Record (PHR), which enables users to send and retrieve patient information between a mobile device and the EHR/PHR, must do so in a secure manner, and all stakeholders involved must accept their stewardship role for protecting the PHI data contained within.
Data security encompasses several aspects of security, such as confidentiality (e.g., by use of encryption), integrity, availability, authenticity, non-repudiation, and access control, each one at a different level of the information life cycle. A principal means of providing data security is encryption. Encryption is a standard tool for ensuring the privacy of data and communications. A variety of encryption schemes are commercially available to secure protected information, for example the Advanced Encryption Standard (AES), promulgated by the National Institute of Standards and Technology (NIST) as Federal Information Processing Standards Publication 197, Nov. 26, 2001. AES is a symmetric encryption scheme, such that the same cipher key is used for both encoding and decoding. The AES scheme itself exists in multiple variations, such as AES counter mode, AES cipher block chaining (CBC) with ciphertext stealing (CTS), RSA, and so forth. Some variations of AES may be described in Request for Comment (RFC) 3962, “Advanced Encryption Standard (AES) Encryption for Kerberos 5,” February 2005, and references cited therein.
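The paragraph above separates confidentiality (provided by encryption such as AES in counter mode) from integrity and authenticity. The following is an added example, not code from the patent, showing why the two must be provided together: AES counter mode under a single symmetric key gives confidentiality only, and a one-bit change to the ciphertext silently flips the same bit of the plaintext, so an HMAC-SHA256 tag (a mechanism chosen here; the page does not name it) is computed over the ciphertext and verified before decryption. It uses only the Go standard library; the `Keys` layout, the record format nonce||ciphertext||tag, and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Keys holds one key per service: Enc for confidentiality (AES-CTR) and
// Mac for integrity (HMAC-SHA256). Layout constructed for this example;
// in a real deployment both would be derived from a master key with a KDF.
type Keys struct {
	Enc []byte // 16, 24 or 32 bytes selects AES-128/192/256
	Mac []byte
}

// Seal encrypts plaintext with AES in counter mode under a fresh random
// nonce, then appends an HMAC-SHA256 tag over nonce||ciphertext
// (encrypt-then-MAC). Output layout: nonce(16) || ciphertext || tag(32).
func Seal(keys Keys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(keys.Enc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext), aes.BlockSize+len(plaintext)+sha256.Size)
	copy(out, nonce)
	cipher.NewCTR(block, nonce).XORKeyStream(out[aes.BlockSize:], plaintext)
	mac := hmac.New(sha256.New, keys.Mac)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open verifies the tag in constant time first and only then decrypts, so a
// tampered or wrong-key record is rejected before any plaintext is produced.
func Open(keys Keys, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize+sha256.Size {
		return nil, errors.New("sealed record too short")
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, keys.Mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("integrity check failed")
	}
	block, err := aes.NewCipher(keys.Enc)
	if err != nil {
		return nil, err
	}
	nonce, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(pt, ct)
	return pt, nil
}

// RoundTrip shows the symmetric property (the same Keys seal and open) and
// that a single flipped ciphertext bit is detected rather than decrypted
// into a silently corrupted record.
func RoundTrip(keys Keys, msg []byte) (recovered bool, tamperDetected bool, err error) {
	sealed, err := Seal(keys, msg)
	if err != nil {
		return false, false, err
	}
	pt, err := Open(keys, sealed)
	if err != nil {
		return false, false, err
	}
	recovered = string(pt) == string(msg)
	// Flip one bit of the first ciphertext byte. Without the MAC, CTR mode
	// would return the plaintext with exactly that bit flipped.
	tampered := append([]byte(nil), sealed...)
	tampered[aes.BlockSize] ^= 0x01
	_, err = Open(keys, tampered)
	tamperDetected = err != nil
	return recovered, tamperDetected, nil
}

func main() {
	keys := Keys{Enc: make([]byte, 32), Mac: make([]byte, 32)}
	io.ReadFull(rand.Reader, keys.Enc)
	io.ReadFull(rand.Reader, keys.Mac)
	// Constructed sample health record; not real patient data.
	msg := []byte(`{"patient":"example-0001","heart_rate":72}`)
	ok, detected, err := RoundTrip(keys, msg)
	fmt.Println("recovered:", ok, "tamper detected:", detected, "err:", err)
}
```

Verifying the tag before decrypting is the order that matters: decrypting first and checking afterwards would hand unauthenticated bytes to the rest of the application, which is the class of mistake the integrity aspect listed above is meant to prevent.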
Mobile applications are increasingly important to companies in the conduct of business with customers and suppliers. In the case of organizations that deal with sensitive personal information such as health information, mobilization is highly desirable in order to reach patients directly; however, a mobile application that complies with all the security and architectural requirements imposed by HIPAA is very difficult to build.
Mobile applications also contain interfaces to allow applications to undertake tasks that are not directly supported by the underlying operating system, such as secure messaging and surveys, and to undertake tasks that involve communication with devices that reside outside of the mobile device but have communication connectivity with it, such as Bluetooth devices, GPS, and so forth. Mobile devices evolve over time, and new features are added to them, so new interfaces will be added to mobile devices in order to support the new features. Although supporting new features may require updates to the operating system or application development tools, such updates do not happen very often compared to the frequency of configuration changes to application programs on the mobile device.
A major difficulty with supporting mobile devices is the policy and procedures with respect to updating the version of application programs deployed on mobile devices. When an updated application program is available, all users that have the application program must update the version on their mobile devices. Some application programs provide a short versioning time (i.e., a length of time during which a particular version is the current version); other application programs may require a longer versioning time, depending on a long list of factors such as stability, dynamic market, technical OS requirements, and so forth. Updating the application program version normally requires that a mobile device user communicate with a server such as an online app store and retrieve the new copy of the application program. This process may be slow and difficult because app stores tend to restrict application programs and delay the process of publishing new versions of the application programs.
Furthermore, most systems for mobile application development suffer deficiencies in their level of integration. Current implementations of applications for mobile devices predefine or hardcode the graphical user interface (GUI), data structure and logic, which are then packed together when the application is downloaded from the store or hosting server. Other types of mobile applications work completely online in a client/server mode to get or use the GUI, data structure and logic while the mobile device is connected to a server, and cannot operate effectively if there is no data connection to the server. Other applications have their GUI, data structure and logic hardcoded but allow connectivity to a server in order to synchronize data. A mobile device used as a client can execute only a predefined set of functions and has a predefined GUI.
Some known systems for mobile application development allow the creation of functions dynamically (e.g., for GUI, logic and data), and deliver those functions wirelessly, but lack integrated security in the communication, storage and process. Nor do such systems take into consideration that the server is an important part of the system in order to provide data recovery, security administration and the adoption of other types of access to information from the mobile device.
Therefore, what is needed is an integrated development platform to develop cryptographically secure mobile applications for mobile device users, the applications including but not limited to: mHealth uses; applications that implement government security standards such as HIPAA and NIST/FIPS; applications that communicate with server applications to dynamically update GUI, logic and data; applications that work online and offline; applications that can reconstruct their state and data in case the mobile device is lost or changed; and so forth.